W32/Rbot-AWV is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AWV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AWV spreads using a variety of techniques: guessing weak passwords on network shares and SQL servers, exploiting operating system vulnerabilities (including LSASS, WebDAV, PnP and UPnP; see the list of patches below) and entering through backdoors already opened by other worms or Trojans.
W32/Rbot-AWV can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AWV can be instructed by a remote user to perform the following functions:
start an FTP server
take part in distributed denial of service (DDoS) attacks
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
When first run W32/Rbot-AWV copies itself to <System>\plscdksxg.exe, where <System> is the Windows system directory (for example C:\Windows\System32 or C:\WINNT\system32).
The following registry entries (key, value name and data) are created to run plscdksxg.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Microsoft Visual Studio = plscdksxg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Microsoft Visual Studio = plscdksxg.exe
The following registry entries are also set (key, value name and data):
HKCU\Software\Microsoft\OLE
  Microsoft Visual Studio = plscdksxg.exe
HKLM\SOFTWARE\Microsoft\Ole
  EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  restrictanonymous = 1
Setting EnableDCOM to N disables DCOM on the machine, and setting restrictanonymous to 1 restricts anonymous (null session) enumeration of shares and accounts. Both are also legitimate hardening settings, so on their own they are not proof of infection; the dropped file and the "Microsoft Visual Studio" run values are the specific indicators.
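The following PowerShell script is an added example, not part of the original advisory. It checks a Windows host for the artifacts listed above (the dropped file, the "Microsoft Visual Studio" run values and the two changed settings) and reports what it finds without modifying anything. The variable and function names are the example's own; the registry paths and file name are those given in the advisory. Run it from an elevated PowerShell prompt, since HKLM and the system directory may otherwise be only partially readable.

```powershell
# Added example (not the advisory's own code): read-only check for W32/Rbot-AWV
# artifacts. Returns a list of strings, one per indicator found.
function Test-RbotAWVArtifacts {
    $findings = @()

    # 1. Dropped executable: <System>\plscdksxg.exe
    $dropped = Join-Path $env:SystemRoot 'System32\plscdksxg.exe'
    if (Test-Path -LiteralPath $dropped) {
        $findings += "Dropped file present: $dropped"
    }

    # 2. Running process of the same name (the worm runs continuously).
    if (Get-Process -Name 'plscdksxg' -ErrorAction SilentlyContinue) {
        $findings += "Process plscdksxg.exe is running"
    }

    # 3. Persistence values named 'Microsoft Visual Studio'.
    #    RunServices exists only on Windows 9x/Me and HKCU covers only the
    #    current user, so a missing key is not an error.
    $valueName = 'Microsoft Visual Studio'
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKCU:\Software\Microsoft\OLE'
    )
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data = [string]$item.$valueName
            # Flag the value whatever its data, but note when it matches the advisory.
            $match = if ($data -like '*plscdksxg.exe*') { ' (matches advisory)' } else { '' }
            $findings += "Value '$valueName' under $key = '$data'$match"
        }
    }

    # 4. Settings the worm changes. These are also legitimate hardening
    #    settings, so report them as corroborating evidence only.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -ne $ole -and $ole.EnableDCOM -eq 'N') {
        $findings += "Corroborating: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N (DCOM disabled)"
    }
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -ne $lsa -and $lsa.restrictanonymous -eq 1) {
        $findings += "Corroborating: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1"
    }

    return $findings
}

$results = Test-RbotAWVArtifacts
if ($results.Count -eq 0) {
    Write-Output "No W32/Rbot-AWV artifacts found."
} else {
    Write-Output "Possible W32/Rbot-AWV artifacts:"
    $results | ForEach-Object { Write-Output "  $_" }
}
```

The script deliberately only reports. If the dropped file or the run values are present, treat the machine as compromised: the backdoor gives the operator full control, so isolate the host from the network before cleaning, and change any passwords used on it, since weak passwords are one of the worm's spreading methods.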
Patches for the operating system vulnerabilities exploited by W32/Rbot-AWV can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx (MS01-059: Universal Plug and Play)
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx (MS03-007: WebDAV / ntdll.dll)
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx (MS03-049: Workstation service)
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx (MS04-007: ASN.1 library)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx (MS04-011: includes LSASS)
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx (MS04-012: RPC/DCOM)
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx (MS05-039: Plug and Play)